Key points
- Understand Core Remote Access Protocols: MSPs rely on key protocols like RDP, ICA, PPP, and PPTP, each offering different balances of security, performance, and compatibility for managing remote endpoints.
- Prioritize Secure, Modern Options: Replace outdated or insecure methods like PPTP and SLIP with modern, encrypted solutions such as TLS-based VPNs, zero-trust gateways, or agent-based RMM tools.
- Adopt Zero Trust and Conditional Access: Strengthen client environments by implementing zero-trust architecture, least privilege, MFA, and device posture checks to minimize attack surfaces.
- Optimize Performance for Scalability: Use adaptive transport, compression, and cloud-based remote access tools to maintain reliability across multi-tenant MSP environments.
- Centralize Management with RMM Platforms: Consolidate remote monitoring, automation, and secure remote desktop access using platforms like NinjaOne to streamline MSP operations.
Nowadays, you’d be hard-pressed to find a managed service provider (MSP) who doesn’t work with remote access protocols on a regular basis. That said, not all remote access methods are equal, and choosing the right protocol is essential in providing the best service to your clients.
Our guide to MSP remote access will help define and compare the different types of remote access protocols, making it easier for you to choose your access methods as well as to explain and recommend the most suitable remote protocols to your clients.
What are remote access protocols?
A remote access protocol manages the connection between a remote access server and a remote computer and is an essential part of desktop sharing and help desk activities.
There are several different ways to remotely access a client’s endpoint, some of which are more secure or easier to use than others.
Types of remote access protocols
The following are the primary remote access protocols in current use:
Point-to-Point Tunneling Protocol (PPTP)
PPTP is used to create virtual connections using TCP/IP and PPP so that two networks can use the internet as their WAN link yet retain private network security.
With PPTP, the internet is used to create a secure session between the client and the server. Also known as a virtual private network (VPN), this type of connection is significantly less expensive than a direct connection.
PPTP is often used to connect several LANs while avoiding the costs of leased lines. However, there are possible disadvantages associated with this protocol:
- PPTP isn’t available on all types of servers.
- PPTP is more difficult to set up than PPP.
- Tunneling can reduce throughput.
- PPTP is not a fully accepted standard.
- This protocol is restricted to 128-bit encryption.
For all these reasons, PPTP generally shouldn’t be used for MSP environments.
Methods to implement PPTP
It’s possible to implement PPTP in two ways.
First, you can set up two servers: one to act as the gateway to the internet and another to handle the tunneling. In this case, the workstations will run normally without any additional configuration. This method is preferred for connecting and accessing entire networks.
The second option is to configure a single, remote workstation to connect to an organization’s network online. This workstation is configured to connect to the internet, and the VPN client is configured with the address of the VPN remote access server.
Point-to-Point Protocol (PPP) and Point-to-Point Protocol over Ethernet (PPPoE)
Point-to-Point Protocol (PPP) is most commonly used for remote links to LANs and ISPs, and it uses the Link Control Protocol (LCP) to communicate between the PPP client and the host. This protocol transmits TCP/IP over point-to-point connections, such as serial and parallel connections.
PPP has largely replaced the outdated Serial Line Internet Protocol (SLIP) as it
- can support several network protocols,
- supports error checking, and
- can be used across more types of physical media.
Because PPP can automatically configure TCP/IP and other remote access parameters, it’s considered easier to set up, but it’s incompatible with some older configurations.
Part of this ease-of-use improvement is due to the Dynamic Host Configuration Protocol (DHCP) support that SLIP lacks. DHCP assigns TCP/IP addressing information, including the host IP address, subnet mask, and DNS configuration.
Independent Computing Architecture (ICA) Protocol
Citrix WinFrame (or MetaFrame) products use the Independent Computing Architecture (ICA) protocol to allow multiple thin clients to take control of a virtual computer and use it as if it were their desktop.
The idea behind this approach is that an organization can invest in or upgrade a single computer and use its legacy equipment or less expensive workstations as simple access terminals. When resource needs increase, the company can simply replace or upgrade the server and, in turn, improve the speed and capability for all users.
That said, the biggest downside is the cost of the server. The organization must essentially buy a server equivalent to multiple desktops and shoulder the associated cost.
The Citrix or Terminal Server client uses the ICA protocol to communicate with the server, which works on several different platforms (there are ICA clients for all major client OSes, including Windows, macOS, and Linux). Furthermore, Citrix now supports HDX, adaptive transport, and connection optimizations.
Modern equivalents of clients that use ICA include desktop as a service (DaaS), containerized desktop delivery, HTML5 remote web clients, and Microsoft’s Remote Desktop Services/RemoteApp.
Remote Desktop Protocol (RDP)
Our final entry is Remote Desktop Protocol (RDP), which is utilized to access Windows Terminal Services, a technological cousin to Citrix WinFrame.
RDP offers the same core functions as ICA, and apart from Windows, RDP clients exist on other OSs like Linux and macOS. It also supports more advanced features, such as network-level authentication, Transport Layer Security (TLS), RD Gateway, etc.
Despite all that, it isn’t recommended to expose RDP directly to the internet; instead, it’s better to use jump hosts or zero-trust gateways.
Remote access tools for MSPs
As you can see, you have plenty of choices when it comes to remote desktop access. It can be hard for an MSP to determine which ones they should choose (and for which use cases).
For instance, RDP is great for Windows machines on a LAN but isn’t always supported. Virtual Network Computing (VNC) using a protocol like ICA is a viable alternative but comes with its tradeoffs in costs.
Scaling is always a concern for MSPs, of course. One of the above protocols might be all you need for simple use cases and small LANs, but it’s a different story entirely when managing multiple assets across multiple customer sites.
One of the biggest issues MSPs have to contend with is security. While RDP traffic is encrypted and VNC is often routed through IPsec or SSH tunnels, exposing those services over the internet isn’t recommended.
To use these protocols securely, tight policies must be implemented across the board, including:
- strong passwords,
- certificates,
- firewalls,
- multi-factor authentication (MFA),
- device posture checks,
- monitoring and auditing,
- behavioral detection, and
- microtunnels.
All of them must be defined, implemented, and enforced across multiple endpoints at multiple customer sites. In addition, it greatly helps to implement stringent access policies and practices in your network that are widely used today, such as:
- a zero-trust architecture,
- least-privilege access,
- just-in-time access, and
- conditional access.
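As an added example (not NinjaOne code or part of the original guide), the following Python sketch audits inbound firewall allow rules across several client sites and flags the exposures this guide warns about: RDP, VNC, or ICA reachable from the internet, and any use of PPTP. The rule schema, tenant and host names, and sample data are hypothetical; the ports are each protocol's well-known default, so services moved to non-default ports are not detected.

```python
import ipaddress

# Well-known default ports for the protocols this guide covers.
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC", 1494: "ICA", 1723: "PPTP"}
DEPRECATED = {"PPTP"}  # the guide advises against PPTP for MSP environments
# RFC 1918 ranges are treated as internal (LAN) sources.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: inbound allow rules exported per client site (hypothetical schema).
SAMPLE_RULES = [
    {"tenant": "client-a", "host": "fs01", "port": 3389, "source": "0.0.0.0/0"},
    {"tenant": "client-a", "host": "fs01", "port": 3389, "source": "10.20.0.5/32"},
    {"tenant": "client-b", "host": "vpn01", "port": 1723, "source": "0.0.0.0/0"},
    {"tenant": "client-b", "host": "kiosk7", "port": 5900, "source": "192.168.10.0/24"},
    {"tenant": "client-c", "host": "web01", "port": 443, "source": "0.0.0.0/0"},
    {"tenant": "client-c", "host": "ctx01", "port": 1494, "source": "203.0.113.0/24"},
]

def _within(src, nets):
    """True if the source network sits entirely inside one of the given networks."""
    return any(src.version == n.version and src.subnet_of(n) for n in nets)

def audit_rule(rule, approved_gateways=()):
    """Return a list of findings for one inbound allow rule."""
    proto = REMOTE_ACCESS_PORTS.get(rule["port"])
    if proto is None:
        return []  # not a remote access service covered here
    src = ipaddress.ip_network(rule["source"], strict=False)
    gateways = [ipaddress.ip_network(g) for g in approved_gateways]
    findings = []
    if proto in DEPRECATED:
        findings.append(f"{proto} in use: replace with a TLS-based VPN or zero-trust gateway")
    if src.prefixlen == 0:
        findings.append(f"{proto} reachable from any address: put it behind a jump host or gateway")
    elif not _within(src, INTERNAL + gateways):
        findings.append(f"{proto} allowed from public range {src} that is not an approved gateway")
    return findings

def audit(rules, approved_gateways=()):
    """Group findings by tenant so each client site gets its own report."""
    report = {}
    for rule in rules:
        for finding in audit_rule(rule, approved_gateways):
            report.setdefault(rule["tenant"], []).append(f'{rule["host"]}: {finding}')
    return report

if __name__ == "__main__":
    for tenant, items in audit(SAMPLE_RULES).items():
        print(tenant, *items, sep="\n  - ")
```

Passing the address ranges of your jump hosts or zero-trust gateways as approved_gateways suppresses findings for sources that are meant to reach these services.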
Consider NinjaOne for managing your remote access protocols
Several commercial tools that aim to simplify remote access are available in the market, the most prominent in the MSP space being remote monitoring and management (RMM).
In particular, NinjaOne has built a reputation in the MSP space as a reliable, effective, and secure RMM solution. It streamlines your MSP workflows and gives you multitenant, remote desktop access directly from the same system you use for ticketing, asset management, monitoring, and automation.
To help MSPs navigate remote access best practices and avoid common pitfalls, we’ve put together a short video guide: Remote Access Best Practices for MSPs and IT Pros.
If you want to get quick answers and insights on NinjaOne RMM, check out our FAQ page.
Partnering with NinjaOne for secure remote access
NinjaOne is here to help MSPs manage their business efficiently and securely. Thousands of users utilize our cutting-edge and easy-to-use RMM platform to navigate the complexities of modern IT management.
Not a Ninja partner yet? We still want to help you streamline your managed services operation. Visit our blog for MSP resources and helpful guides or sign up for Bento to get important guidance in your inbox.
If you’re ready to become a NinjaOne partner, schedule a demo or start your 14-day free trial to see why thousands of customers have already chosen NinjaOne as their partner in secure remote management.
